Part of the reason our Bugzilla is a target for spammers is that our links lack any rel="ugc" or rel="nofollow" attribute. That means they can get some search engine power by spamming their links in comments or any metadata field that renders as a link, such as the "URL" field.
Here's more on rel= ugc/nofollow from Google:
While looking into this, I also noticed that our "URL" fields render with rel="noreferrer", but our comment links do not. I don't see any great reason to hide our Bugzilla as the referrer on either type of link. I guess the reason is that our "URL" links have target="_blank", which for some convoluted reason presents a security problem. Again described by Google:
So my tl;dr suggestions, ordered by priority, are:
1. Add rel="ugc" to rendered comment links.
2. Add ugc to the URL field links. (Can other metadata create links to user-provided URLs? AFAIK, no.) That looks like: rel="noreferrer ugc", I believe.
3. Investigate and replace "noreferrer" with "noopener" in URL links -- I think it serves the same security purpose without breaking the HTTP "referer" header.
Nice report, Conrad, thank you for the detail.
I'll talk to upstream about this. It may be that this has been solved in one capacity or another. Worst case, we can submit any improvements we make here upstream and carry it locally until a future release.
Given the recentness (Sept 2019) of the nofollow changes (introduction of ugc, sponsored), it may be prudent to consider the first iteration of the improvement proposal to be to blanket use 'nofollow' (without granularity), until the situation settles and we have better indicators of what the implications might be, particularly with regard to a publisher's 'explicit' desire to mark untrusted links for the purposes of reducing spam value of a site.
Also, given ugc/sponsored can be used in 'addition' to nofollow, we may want to consider 'nofollow ugc' as well.
Sure, "nofollow ugc" is fine, or even just "nofollow".